Archived Presentations

Old presentations never die on the Internet. This is just a listing of old presentations Phil has given.

SANS Training Events

FOR572: Advanced Network Forensics and Analysis

  • Course Beta #1: October 28 – November 2, 2013; Washington, DC
  • DFIRCON 2014: March 5 – 10, 2014; Monterey, CA
  • SANS 2014: April 7-12, 2014; Orlando, FL
  • SANS Security West 2014: May 10 – 15, 2014; San Diego, CA (With Simulcast)
  • Digital Forensics and Incident Response Summit: June 3 – 10, 2014; Austin, TX
  • SANSFIRE 2014: June 23 – 28, 2014; Baltimore, MD
  • SANS Boston 2014: July 28 – August 2, 2014; Boston, MA
  • SANS vLive: August 5 – September 11, 2014; Online
  • SANS Bangalore 2014: September 15 – 27, 2014; Bangalore, India
  • SANS Network Security 2014: October 20 – 25, 2014; Las Vegas, NV (With Simulcast)
  • Private SANS OnSite: October 27 – November 1, 2014; Rochester, MN
  • SANS Sydney 2014: November 10 – 22, 2014; Sydney, Australia
  • Cyber Threat Intelligence Summit: Feb 4 – 9, 2015; Washington, DC
  • DFIR Monterey: February 23 – 28, 2015; Monterey, CA (With Simulcast)
  • SANS Singapore 2015: March 16 – 21, 2015; Singapore
  • SANS 2015: April 13 – 18, 2015; Orlando, FL
  • SANS vLive: April 21 – May 28, 2015; Online
  • Private SANS OnSite: June 1 – 6, 2015; Augusta, GA
  • SANSFIRE 2015: June 13 – 20, 2015; Baltimore, MD
  • Digital Forensics and Incident Response Summit: July 9 – 14, 2015; Austin, TX (With Simulcast)
  • SANS San Jose 2015: July 20 – 25, 2015; San Jose, CA
  • Private vLive event: August 10-14, 2015; Online
  • SANS San Antonio 2015: August 17 – 22, 2015; San Antonio, TX (Co-teach with Ryan Johnson)
  • SANS Virginia Beach 2015: August 24 – September 4, 2015; Virginia Beach, VA
  • Network Security 2015: September 12 – 19, 2015; Las Vegas, NV
  • Community SANS: September 28 – October 3, 2015; Columbia, MD (Co-teach with Ryan Johnson)
  • SANS DFIR Prague 2015: October 5 – 10, 2015; Prague, Czech Republic
  • SANS vLive: October 20 – November 25, 2015; Online
  • SANS Cyber Defense Initiative 2015: December 14-19, 2015; Washington, DC
  • SANS OnSite: March 7 – 12, 2016; Blacksburg, VA (With Simulcast)
  • SANS 2016: March 14-19, 2016; Orlando, FL
  • SANS Secure Europe 2016: April 4-9, 2016; Amsterdam, Netherlands
  • SANS Threat Hunting and Incident Response Summit 2016: April 14-19, 2016; New Orleans, LA
  • SANS Security West 2016: April 29 – May 6, 2016; San Diego, CA
  • SANS Melbourne 2016: May 16-21, 2016; Melbourne, Australia
  • SANS vLive: May 23 – June 29, 2016; Online
  • SANSFIRE 2016: June 13-18, 2016; Washington, DC (With Simulcast)
  • Digital Forensics and Incident Response Summit: June 25-30, 2016; Austin, TX
  • SANS London in the Summer 2016: July 11-16, 2016; London, United Kingdom
  • Community SANS: August 15-20, 2016; Columbia, MD
  • SANS Virginia Beach 2016: August 28 – September 2, 2016; Virginia Beach, VA
  • SANS Network Security 2016: September 12 – 17, 2016; Las Vegas, NV
  • SANS DFIR Prague 2016: October 10 – 15, 2016; Prague, Czech Republic
  • SANS October Singapore 2016: October 31 – November 5, 2016; Singapore, Singapore
  • SANS London 2016: November 14 – 19, 2016; London, United Kingdom
  • Private SANS Onsite: November 21-26, 2016; Amsterdam, Netherlands
  • SANS Cyber Defense Initiative 2016: December 12-17, 2016; Washington, DC

Lethal Network Forensics

  • US Cyber Crime Conference: April 27 – 28, 2014; Leesburg, VA

US Cyber Challenge Camp: Network Forensics

  • Moraine Valley Community College: August 13, 2013; Palos Hills, IL
  • University of Delaware: July 22, 2014; Newark, DE
  • Virginia Tech: June 23, 2015; Blacksburg, VA

FOR558: Network Forensics

  • Community SANS: February 6 – 10, 2012; Arlington, VA
  • Community SANS: October 14 – 19, 2012; Quantico, VA
  • Community SANS: February 25 – March 1, 2013; New York, NY

Formal Presentations

“The Tap House”: This is a series of talks that focus on new and emerging topics in the Network Forensics arena. No two talks will be quite the same, so feel free to stop in and see what’s new if you’re attending a SANS or other event where one is scheduled.

Packets move pretty fast. The field of Network Forensics needs to move fast, too. Whether you are investigating a known incident, hunting unidentified adversaries in your environment, or enriching forensic findings from disk- and memory-based examinations, it’s critical to stay abreast of the latest developments in the discipline.

In this @Night series, Phil Hagen will discuss some of the latest technologies, techniques, and tools that you will want to know in pursuit of forensication nirvana.

Phil is also an avid craft beer fan, so there’s a good chance you will learn something about a new notable national or interesting local beer in the process.

This presentation will be helpful for those that wish to keep up-to-date on the most cutting-edge facets of Network Forensics.

  • Episode 0x00 – SANS @Night (SANS DFIR Summit 2015): July 10, 2015; Austin, TX
  • Episode 0x00 – SANS @Night (SANS San Jose 2015): July 23, 2015; San Jose, CA
  • Episode 0x00 – SANS @Night (SANS Virginia Beach 2015): August 17, 2015; Virginia Beach, VA
  • Episode 0x00 – SANS @Night (SANS DFIR Prague 2015): October 6, 2015; Prague, Czech Republic
  • Episode 0x00 – SANS @Night (SANS Cyber Defense Initiative 2015): December 16, 2015; Washington, DC (Slides available here)
  • Episode 0x01 – SANS @Night (SANS Security West 2016): May 3, 2016; San Diego, CA
  • Episode 0x01 – SANS @Night (SANS London in the Summer 2016): July 13, 2016; London, England
  • Episode 0x01 – SANS @Night (SANS Virginia Beach 2016): August 30, 2016; Virginia Beach, VA
  • Episode 0x02 – SANS @Night (SANS October Singapore 2016): November 2, 2016; Singapore, Singapore
  • Episode 0x02 – SANS @Night (SANS London 2016): November 17, 2016; London, United Kingdom
  • Episode 0x02 – SANS @Night (SANS Cyber Defense Initiative): December 14, 2016; Washington, DC

“Smartphone and Network Forensics Goes Together Like Peas and Carrots”: This is a special joint presentation with Heather Mahalik, SANS Senior Certified Instructor and course lead for SANS FOR585, Advanced Smartphone Forensics.

Although smartphone and network forensics are two distinct and critical disciplines, there are strong ties between them. Smartphone investigations cover myriad devices, operating systems, applications, and data storage mechanisms, but a great deal of their functionality involves a single common technology: TCP/IP communications. On the other hand, hunting an attacker’s network activities within your environment often identifies endpoints, including smartphones, as relevant to the investigation and in need of in-depth device analysis.

In this talk, Heather Mahalik will address the smartphone side of this investigative coin as covered in SANS FOR585, Advanced Smartphone Forensics. Phil Hagen will look at things from the network side as covered in SANS FOR572, Advanced Network Forensics and Analysis. We connected several smartphone devices to a heavily instrumented wireless network, then conducted some typical smartphone-based activities on the devices. Heather will address the artifacts from the device-centric point of view, while Phil will examine the network evidence to see what can be learned about the on-device activities.

As often identified in the forensic process, a comprehensive approach is necessary to conduct a thorough investigation.

  • SANS @Night (SANS Network Security 2015): September 16, 2015; Las Vegas, NV (Slides available here)
  • Keynote Address (SANS South Florida 2015): November 9, 2015; Ft Lauderdale, FL
  • SANS @Night (SANS 2016): March 16, 2016; Orlando, FL
  • SANS Community Night (SANS Melbourne 2016): May 17, 2016; Melbourne, Australia
  • Techno Security & Forensics Investigations Conference: June 8, 2016; Myrtle Beach, SC
  • SANS @Night (SANSFIRE 2016): June 14, 2016; Washington, DC
  • Private event: September 8, 2016
  • SANS @Night (Network Security 2016): September 14, 2016; Las Vegas, NV

DNS Evidence: You Don’t Know What You’re Missing

With hundreds of network protocols used in a typical network environment, it’s easy to get overwhelmed during an investigation. Similarly, the technical and legal hurdles to proper full-packet-capture operations leave critical gaps that must be filled from evidence such as firewall logs, intrusion detection system logs, or NetFlow. However, regardless of the protocols used, the Domain Name System (DNS) is a commonality that forensicators often overlook. DNS may not be glamorous, but it often provides critical insight and context during network forensic cases. Even on their own, passive DNS logs can provide an excellent baseline of activity for any environment. In this webcast, we’ll explore some simple and effective ways to create logs of DNS traffic, what specific value they add to other evidence types, and how to exploit these logs at scale.

  • SANS Webcast: April 22, 2016 (Archived video available via link)

Passive DNS Logs: The Pulse of the Network

Although some network protocols are more commonly seen than others, the staggering reality is that there are thousands of protocols an analyst may encounter during the course of an investigation, incident response, or threat hunting program. Therefore, network forensic analysts will recognize great efficiencies by reviewing those which provide insight to many other protocols. A prime example is the Domain Name System, or DNS. By logging all DNS queries and their responses, it’s possible to characterize the nature of nearly every other protocol – even many undocumented, custom, and proprietary ones. This webcast will review several different methods one can use to log DNS activity or extract it from existing evidence, as well as analytic cases where it can provide decisive value by itself or as clarifying evidence in support of NetFlow and logs.

  • SANS Webcast: March 8, 2016 (Archived video available via link)
  • SANS @Night (SANS Threat Hunting and Incident Response Summit): April 15, 2016; New Orleans, LA
  • Private Event: November 30, 2016; Amsterdam, Netherlands

Convergence Forensics: Leveraging Multiple Skills to Analyze Evidence

One discipline is not enough to solve investigations relating to digital evidence. In this Keynote, Phil will expand on scenarios where multiple skills are needed to hunt and uncover evidence. Network Forensics, Memory Forensics, Malware detection, Malware analysis and Data Synchronization between smartphones, Mac and Windows computers may change the way you need to look at your evidence. Simply having tunnel vision in your field will limit your success! A change in your approach may change your success rate when examining digital media.

  • SANS @Night (SANS Threat Hunting and Incident Response Summit): April 14, 2016; New Orleans, LA
  • Private Event: November 29, 2016; Amsterdam, Netherlands

Emerging Trends in DFIR- Lightning Talks

Together with the SANS DFIR Faculty, we unveil the top Emerging Trends in DFIR in a series of lively, hard-hitting lightning talks (15 minutes each). Get a glimpse into the near future for incident response, threat hunting, cyber threat intelligence, and digital forensics.

  • SANS @Night (SANS Security West 2016): May 2, 2016; San Diego, CA

The Ukrainian Power Grid Cyber Attack: Forensics After Dark

On December 23, 2015, the lights went out in three different regions of Ukraine. A well-funded group of threat actors orchestrated the first-ever cyber attack on a power grid that caused outages. Immediately following the attack, incident response was underway, with many around the world watching a geopolitically tense situation between Ukraine and Russia. A week later, the SANS ICS team was able to confirm publicly that the power outages were the result of an intentional cyber attack and to provide guidance to the rest of the world on protecting their power grids.

In this presentation, SANS Certified Instructors Alissa Torres, Anuj Soni, Phil Hagen, and Robert M. Lee will break down the attack step by step and show different forensic tools and techniques for malware analysis, memory forensics, network forensics, and threat intelligence as it related to this attack. You don’t have to be scared of the dark to want to keep the lights on.

  • SANS Keynote Presentation (SANS DFIR Summit 2016): June 25, 2016; Austin, TX

“Network Forensics: Pre-Collected Evidence through Continuous Monitoring”: You never know what evidence you’ll need during an investigation until you really need it. This problem is amplified when it still averages hundreds of days to discover a breach. In this talk, we’ll discuss Network Forensic methodologies commonly used in hunt or investigative operations and how to pre-stage evidence collection platforms to support those tasks.

  • NSA Information Assurance Symposium 2015: June 29, 2015; Washington, DC

“Logs, logs every where / Nor any byte to grok”: In this webcast, we will discuss Logstash, a tool that can be very effective for examining log files from the wide variety of sources we tend to find in forensic casework. Although Logstash is a free and open-source solution intended for system and network administrators to observe live data, it can also provide great value to the forensicator, who must integrate disparate data sources and formats. New developments around Logstash also make it an ideal tool for the system-based forensicator, since supertimeline data can be integrated as well.

  • SANS Webcast: May 1, 2013
  • SANS @Night (SANS DFIR Summit 2014): June 3, 2014; Austin, TX
  • SANS @Night (SANS Boston 2014): July 31, 2014; Boston, MA
  • SANS @Night (SANS Bangalore 2014): September 25, 2014; Bangalore, India
  • SANS @Night (SANS Network Security 2014): October 23, 2014; Las Vegas, NV
  • SANS @Night (SANS Sydney 2014): November 12, 2014; Sydney, Australia

“APT Attacks Exposed: Network, Host, Memory, and Malware Analysis”: This talk is perfect for those in the trenches or for those in management who really want to understand how a response team identifies and responds to these adversaries. What is it they are after? How did they get in? How did our systems fail to detect them? These questions and more will be answered in this presentation, which covers all major aspects of the incident response and forensic process.

  • DFIRCON 2014: March 5, 2014; Monterey, CA
  • SANS 2014: April 7, 2014; Orlando, FL
  • CEIC 2014: May 21, 2014; Las Vegas, NV

“There’s GOLD in Them Thar Package Management Databases!”: There is a lot of useful file metadata stored in package management databases for popular Linux distributions. The Red Hat Package Manager (RPM) and Debian’s dpkg are two examples. We’ll focus on how to leverage RPM in forensic investigations, as it can provide a quick and effective way to find changed files that warrant more in-depth analysis. We’ll also discuss potential shortfalls to consider in using this method.

  • SANS @Night (DFIRCON 2014): March 8, 2014; Monterey, CA
  • SANS @Night (SANS 2014): April 11, 2014; Orlando, FL
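The RPM approach described in the abstract above, as an added example that is not part of the talk or of any RPM tooling: `rpm -Va` (a real rpm command) re-checks every installed file against the metadata recorded in the package database and prints one line per mismatch. The script below parses that output format and ranks each hit for follow-up, so that changed executables and libraries surface ahead of config drift and timestamp-only noise. The sample output embedded in the block is constructed for this example, and the priority rules are this example's own triage choices, not part of rpm.

```python
"""Triage `rpm -Va` output for forensic follow-up.

Added example for this page; not from the talk or from rpm itself.
SAMPLE_RPM_VA below is constructed, not captured from a real host.
"""
import re
import sys

# rpm's own verify line layout: nine attribute flags (S size, M mode,
# 5 digest, D device, L link target, U user, G group, T mtime,
# P capabilities; '.' = passed, '?' = not testable) or the word "missing",
# then an optional file type (c config, d doc, g ghost, l license,
# r readme), then the path.
SAMPLE_RPM_VA = """\
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ssh
.......T.    /usr/lib64/libz.so.1.2.7
.M.......    /usr/bin/find
missing   d /usr/share/doc/bash-4.2.46/COPYING
..5....T.  d /usr/share/man/man1/ls.1.gz
S.5....T.    /usr/sbin/sshd
missing     /usr/lib64/libcrypto.so.10
"""

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+"
    r"(?:(?P<type>[cdglr])\s+)?(?P<path>/\S.*)$"
)


def parse_rpm_verify(text):
    """Parse rpm -Va output into dicts; lines that do not match the
    verify layout (e.g. dependency warnings) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({"flags": m["flags"], "type": m["type"] or "", "path": m["path"]})
    return entries


def classify(entry):
    """Rank one failed verification. These thresholds are this example's
    own triage policy (an assumption), not anything rpm defines."""
    flags, ftype = entry["flags"], entry["type"]
    if flags == "missing":
        # missing docs are common after space cleanups; missing binaries are not
        return "low" if ftype in ("d", "l", "r") else "high"
    if any(f in flags for f in "S5L"):
        if ftype == "c":
            return "medium"   # config drift is expected; still worth a diff
        if ftype in ("d", "l", "r"):
            return "low"
        return "high"         # executable/library content no longer matches the package
    if any(f in flags for f in "MUGDP"):
        return "medium"       # mode, owner, group, device or capability change (e.g. new setuid bit)
    return "low"              # mtime only; backup/restore and touch commonly cause this


def triage(text):
    """All parsed entries with a priority, highest first."""
    rows = [dict(e, priority=classify(e)) for e in parse_rpm_verify(text)]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: (order[r["priority"]], r["path"]))


def high_priority_paths(text):
    return [r["path"] for r in triage(text) if r["priority"] == "high"]


if __name__ == "__main__":
    # Pipe real output in (`rpm -Va 2>/dev/null | python3 rpm_triage.py`),
    # otherwise the constructed sample is used.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_VA
    for r in triage(source):
        print(f'{r["priority"]:6} {r["flags"]:9} {r["type"] or "-"} {r["path"]}')
```

Two of the shortfalls the abstract alludes to are worth keeping in mind when reading the output: the comparison is only as trustworthy as the package database on the suspect host, which a root-level intruder can rewrite or simply update by installing a trojaned package through rpm, so confirm important hits with `rpm -Vp` against known-good package files or by pointing rpm at a mounted image with `--root`; and files that were never delivered by a package (dropped binaries, cron entries, new accounts) are invisible to this check entirely.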

“DHCP and DNS, ‘The Correlators’”: DHCP provides a vital link between network activity and the devices responsible for it. DHCP traffic and logs can often provide a quick and direct path to the malicious actor’s desk. On the other hand, DNS traffic and logs provide a “one-stop-shop” to assess network activity across an enterprise that typically uses dozens or hundreds of different protocols and services. Cross-referencing DNS activity with NetFlow/IPFIX data, HTTP proxy logs, or any other evidence containing hostnames or IP addresses can establish a clear understanding of malicious activity – even when the underlying data is encrypted or otherwise inaccessible.
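The DNS-as-correlator idea runs through the two DNS webcast abstracts above (“DNS Evidence” and “Passive DNS Logs”) and this talk. As an added example that is not from any of those talks or from FOR572, the block below does the cross-reference they describe: it reads a passive DNS log of query responses, then labels NetFlow-style records with the hostname the source host resolved to the destination IP shortly before the flow, honoring the answer's TTL. Flows with no preceding resolution are reported separately, since a connection to an IP the client never looked up (hard-coded C2, a direct-IP beacon) is often the most interesting record in the set. The passive DNS lines, the flow records and both line formats are constructed for this example.

```python
"""Enrich NetFlow-style records with hostnames from passive DNS logs.

Added example for this page; not from the talks or from FOR572.
Both log formats and all records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed passive DNS log: timestamp client qname qtype answer ttl
PASSIVE_DNS = """\
2016-11-01T10:00:01Z 10.1.1.20 updates.example.com A 203.0.113.10 300
2016-11-01T10:00:05Z 10.1.1.20 cdn.example.net A 198.51.100.7 60
2016-11-01T10:00:09Z 10.1.1.31 mail.example.org A 203.0.113.25 3600
2016-11-01T10:05:00Z 10.1.1.20 cdn.example.net A 198.51.100.8 60
"""

# Constructed NetFlow-style records: start src dst dport bytes
NETFLOW = """\
2016-11-01T10:00:02Z 10.1.1.20 203.0.113.10 443 18231
2016-11-01T10:00:06Z 10.1.1.20 198.51.100.7 443 922
2016-11-01T10:06:00Z 10.1.1.20 198.51.100.8 443 4410
2016-11-01T10:07:30Z 10.1.1.20 192.0.2.99 8443 77120
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class DnsAnswer:
    ts: datetime
    client: str
    qname: str
    ip: str
    ttl: int


def parse_passive_dns(text):
    """Keep only A-record answers: those are what tie a name to an IP."""
    answers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, answer, ttl = line.split()
        if qtype != "A":
            continue
        answers.append(DnsAnswer(_ts(ts), client, qname.rstrip("."), answer, int(ttl)))
    return answers


def parse_netflow(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, dport, nbytes = line.split()
        flows.append({"start": _ts(start), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def enrich_flows(dns_text, flow_text, slack=timedelta(minutes=5)):
    """Attach the hostname behind each flow's destination IP.

    A DNS answer qualifies if it named the flow's destination, arrived before
    the flow started, and had not expired (TTL plus `slack`, because resolver
    caches and stack caches keep answers a little past their TTL). Answers
    obtained by the flow's own source host win over answers seen from other
    clients; among those, the most recent wins.
    """
    answers = parse_passive_dns(dns_text)
    enriched = []
    for flow in parse_netflow(flow_text):
        best = None  # (rank tuple, answer)
        for a in answers:
            if a.ip != flow["dst"] or a.ts > flow["start"]:
                continue
            if flow["start"] > a.ts + timedelta(seconds=a.ttl) + slack:
                continue
            rank = (a.client == flow["src"], a.ts)
            if best is None or rank > best[0]:
                best = (rank, a)
        rec = dict(flow)
        rec["hostname"] = best[1].qname if best else None
        rec["dns_from_same_client"] = bool(best and best[0][0])
        enriched.append(rec)
    return enriched


def flows_without_dns(enriched):
    """Connections the source never resolved a name for: review these first."""
    return [f for f in enriched if f["hostname"] is None]


if __name__ == "__main__":
    rows = enrich_flows(PASSIVE_DNS, NETFLOW)
    for f in rows:
        print(f'{f["start"]:%H:%M:%S} {f["src"]} -> {f["dst"]}:{f["dport"]} '
              f'{f["bytes"]:>6} B  {f["hostname"] or "<no DNS>"}')
    print("flows with no preceding DNS:", [f["dst"] for f in flows_without_dns(rows)])
```

Two caveats when this is applied to real evidence: the match is only as complete as the DNS vantage point, so hosts that use an external resolver, a VPN, or a hard-coded hosts file entry will show up as “no DNS” even for legitimate traffic; and on shared CDN or hosting addresses several names resolve to one IP, so the hostname shown is the client's most recent lookup for that IP, not necessarily the only name in play.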

“Network Forensics and Analysis: Preparing for the Future of Investigations”: While the fast-paced forensic world can provide a “moving target” for managers to track, being aware of developing trends can help to ensure staff members are prepared for the “next thing” before it hits their caseload. Training examiners and investigators to perform comprehensive forensic casework will be the defining factor for organizations that successfully adapt to the network-centric landscape that lies ahead.

“IT’S ALIVE!!! Investigating with Network-based Evidence”: Even seasoned disk- and memory-based analysts must consider how network analysis differs from traditional forensic work. We’ll discuss how a proactive approach can aid in the response to incidents that have not yet occurred… or not yet been discovered. We will also address the unique operational security (OPSEC) requirements inherent in network-based analysis. Incorrect handling of network evidence or analysis activities could cause the attacker to stay fully aware of your investigation’s progress, ensuring they remain one step ahead of the good guys.

“Network Forensics: The Final Frontier (Until the Next One)”: Traditionally, computer forensic investigations focused on static data from storage media. Recently, memory analysis has become an integral part of forensic analysis. Now, data from network devices and the wires themselves is becoming necessary to complete our understanding of an event. By knowing what existing data to ask for and what additional data to collect, we can provide a more comprehensive analysis of an event.

  • National Cyber Crime Conference: May 1, 2012; Boston, MA
  • DHS Computer Forensic Conference: July 25, 2012; Glynco, GA
  • High Technology Crime Investigation Association (HTCIA) Conference and Training Expo: September 17, 2012; Hershey, PA
  • SANS Webcast: September 28, 2012
  • HTCIA Northeast Chapter: January 25, 2013; New York, NY
  • SANS DFIR Monterey: February 24, 2015; Monterey, CA

“What Evil Lurks in the Browsers of Man? The Network Knows!”: New web-based technologies like AJAX permeate the online experience. What critical evidence may be overlooked while analyzing traditional browser artifacts, and how can network forensics fill the gaps in our forensic investigation?

  • SANS360 (SANS CDI 2011): December 13, 2011; Washington DC

“Digital Threat 2011”: A look at the evolving threats presented by online actors and how an Information Security strategy can be adopted or modified to better prepare for them.

  • Institute of Internal Auditors (IIA) 2011 Mid-Atlantic District Conference: October 20, 2011; Richmond, VA
  • US Special Operations Command (USSOCOM) Information Assurance Conference:  August 31, 2011; Tampa, FL

“SQL Ginsu”: How using a database to structure and store large quantities of data from an investigation can simplify and improve the flexibility of the analytic process.

  • SANS @Night (SANSFIRE): July 21, 2011; Washington, DC

Additional Engagements

2015 Cyber Security Summit, October 21, 2015; Boston, MA: Moderated panel entitled “Corporate Espionage and Insider Threat – Monitoring Outlier Behavior that Indicates Malicious Intent”

Insider threat has been synonymous of late with terms such as breach, data leakage, and a host of cyber security implications often aimed at the consumer. While personnel files, social security numbers, credit cards, and PII are often the target of attacks, corporations are now watching much more! What happens when a fast riser or even an uninspired employee decides to go to a competitor or launch his or her own endeavor? What data, clients, or even personnel are they exfiltrating on the way out? How would you know? There are many identifiers and triggers that often go undetected. Insiders know how to go unnoticed (slow and low), just as malware finds its way through layers and layers of defenses. How do we defend against corporate espionage? What are the implications? What are the signs?

2015 Delaware Innovation Week Dev Talks: “The Path To More Secure Development is Somewhere Between a Racetrack and The Fury Road”

It’s no secret that a development team’s goals are often at odds with those of a practical security process. Developers are rightfully focused on delivering a product that meets scope, budget, and schedule constraints. Security processes, however, are often seen as unneeded impediments to those goals, not as critical components of success. Developers don’t need to build for the “worst case scenario”; rather, it is far cheaper and easier to build some basic security awareness into a development project at inception than near or after its release. In the Internet age, skimping on or ignoring security entirely is far too dangerous a road to choose. In this presentation, Phil will briefly discuss the reality of threats facing developers today, as well as some simple ways to mitigate the risks they present.

Other Events